Device and method for the redundant voltage supply of safety-relevant systems

ABSTRACT

The present invention discloses a device and a method for the redundant voltage supply of safety-relevant systems, in particular in motor vehicles. Both a failure of a voltage supply to safety-relevant systems is detected and a switchover to another voltage supply is initiated in response to this, and it is also ensured that even if one or two drive devices for switching over the voltage fail, a fallback level is available which then switches over the voltage. This ensures, both if a voltage supply to safety-relevant systems fails and if drive devices fail, that voltage is nevertheless switched over and in this way the availability of safety-relevant systems is considerably improved.

The invention relates to a device and a method for the redundant voltage supply of safety-relevant systems, in particular in motor vehicles.

To date, various systems with a redundant voltage supply have been proposed for ensuring the supply to safety-relevant systems, in particular in motor vehicles.

WO 99/42331 discloses a voltage-supply circuit for safety-relevant systems, for example electric brakes, in motor vehicles, in which circuit the systems have their own associated additional batteries which can be connected to a battery of a vehicle electrical system and/or to the generator using a charging circuit and switchover unit and via means for monitoring and distributing the electric power. In normal operation, the safety-relevant systems are supplied from their associated additional battery; a switchover is made if there is a fault with the additional battery or if the additional battery is excessively discharged, and the safety-relevant systems are then supplied directly from the battery of the vehicle electrical system. On account of this switchover to the battery of the vehicle electrical system if there is no longer sufficient power in the additional battery, there is no need for a monitoring circuit for the additional battery.

Furthermore, DE 100 53 584 A1 discloses a redundant voltage supply for safety-relevant loads. This device has a first voltage supply, which is arranged in the vehicle electrical system, and a second voltage supply, the first and second voltage supplies being connected by a decoupling element. The decoupling element, for example a diode, a switch with current-direction detection or field-effect transistors with internal short-circuit-current detection, ensures a directed flow of current from the first to the second voltage supply. In addition, the first voltage supply, a second decoupling element and the second voltage supply are connected to the safety-relevant load by means of a third decoupling element and ensure a directed flow of current. If the voltage of the first voltage supply falls below that of the second voltage supply, voltage is transmitted through the decoupling element, with the result that the second voltage supply takes over the function of supplying voltage to the safety-relevant load.

Finally, DE 198 55 245 A1 specifies a redundant voltage supply for electrical loads in a vehicle electrical system which is used, in particular, in electrically operated brakes. In order to ensure the voltage supply, the electrical load is simultaneously connected to two separate voltage paths via disconnecting modules, said voltage paths each being connected to a dedicated voltage store via charge-disconnecting modules. If a fault which endangers the voltage supply for the load occurs in one supply path, this supply path is opened by means of suitable switching means and the function of supplying voltage is taken over solely by the voltage path which is operational. Disconnecting modules and charge-disconnecting modules can be integrated in a battery connector.

The prior art described above thus provides various solutions for improving the fail-safety of safety-relevant systems, to be precise in the event of a failure of the voltage supply, as a result of which, for example, a braking or steering action would no longer be available without a fallback level in the case of an electrohydraulic brake (EHB), an electrohydraulic steering system (EHL) etc., by switching over to a back-up power supply.

However, these conventional embodiments do not contain a safety function which could also compensate for a failure of the drive logic, which likewise may lead to a complete failure of safety-relevant systems, for example of the electrohydraulic brake (EHB), the electrohydraulic steering system (EHL) etc., since a switchover in the event of a voltage failure is then no longer possible. To be precise, specific voltages in the vehicle are usually made available to the vehicle electrical system by means of driven relays, and these relays are driven exclusively.

It is therefore the object of the present invention to design a device for the redundant voltage supply of safety-relevant systems with which both a failure of the voltage supply and a failure of the drive logic for switching over in the event of a failure of the voltage supply can be compensated for in a simple and cost-effective manner.

This object is achieved by a device for the redundant voltage supply of safety-relevant systems which has the features of claim 1 and by a method for the redundant voltage supply of safety-relevant systems which has the features of claim 3.

In the device according to the invention and in the method according to the invention, both monitoring of whether different voltages are present across safety-relevant systems and monitoring of whether a first drive device and/or a second drive device has/have switched on a voltage are thus carried out as the first fallback level, and if the first and second drive devices fail, a third drive device switches on the voltage.

In this way, the availability of the voltage supply on ignition “on” increases, and fail-safety increases considerably as a result of the formation of two fallback levels which can likewise perform the switchover.

Furthermore, the device according to the invention for the redundant voltage supply of safety-relevant systems represents an extremely cost-effective solution since the individual drive devices for driving exclusive relays for one voltage supply in each case are already present in conventional devices and all that is additionally required is to provide the connection and the exchange of information via communication channels, for example the CAN bus, and to make it possible for each of the drive devices to drive all of the relays.

These and further objects, features and advantages of the invention are explained in more detail below with reference to the drawing, in which:

FIG. 1 is a simplified block diagram of the device according to the invention for the redundant voltage supply of safety-relevant systems, and

FIG. 2, which consists of FIGS. 2a and 2b, is a flowchart which illustrates the functional sequence of the method according to the invention for the redundant voltage supply of safety-relevant systems.

The following text firstly describes in more detail the simplified structure of the device according to the invention for the redundant voltage supply with reference to FIG. 1.

In FIG. 1, 11 denotes a CAN bus as an example of communication channels via which communication signals are transmitted. The device according to the invention for the redundant voltage supply has a first drive device 1 which monitors for the presence of a voltage across one or more safety-relevant system or systems 5 via a line Sp1 and, if no voltage is present there, can drive one or more relays contained in a relay unit 4 by means of a control signal St1, so that a voltage is then applied to the safety-relevant system or systems 5 again. In addition, the first drive device 1 outputs a request message Anf1 to the CAN bus 11 if one or more relays in the relay unit 4 are to be driven in order to re-establish a voltage supply to the safety-relevant system or systems 5. These relays of the relay unit 4 switch on and off a voltage supply for safety-relevant electrical systems 5, for example an electrohydraulic brake (EHB), an electrohydraulic steering system (EHL) etc.

Furthermore, the device according to the invention comprises a second drive device 2 which monitors for the presence of a voltage across one or more safety-relevant system or systems 5 via a line Sp2 and, if no voltage is present there, can likewise drive the relays in the relay unit 4. If the second drive device 2 receives the request message Anf1 from the first drive device 1 via the CAN bus 11, it checks whether the first drive device 1 has initiated switching of the relay unit 4, that is to say whether the voltage supply of the one or more safety-relevant systems 5 has been re-established. If the relay unit 4 has not switched and in addition it is determined via line Sp2 that no voltage is applied to the safety-relevant system or systems 5, the second drive device 2 drives the relay or relays in the relay unit 4 in order to re-establish a voltage supply. The second drive device 2 is also designed in such a way that it sends a request message Anf2 to the CAN bus 11 if it cannot switch the relay or relays in the relay unit 4 despite the absence of voltage across the safety-relevant system or systems 5.

In addition to these first and second drive devices 1 and 2, there is also a third drive device 3 which monitors for the presence of a voltage across one or more safety-relevant system or systems 5 via a line Sp3 and, if no voltage is present there, can likewise drive the relays in the relay unit 4. If the drive device 3 receives both a request message Anf1 from the first drive device 1 and a request message Anf2 from the second drive device 2 via the CAN bus and detects the absence of a voltage across the safety-relevant system or systems 5, the drive device 3 drives the relay unit 4 in such a manner that the relay or relays is/are switched over, so that a voltage supply to the safety-relevant system or systems 5 is re-established.

The method according to the invention for the redundant voltage supply of safety-critical systems is explained in greater detail in the text which follows with reference to FIG. 2, which consists of FIGS. 2a and 2b.

Initially, in step S1, the first drive device 1 monitors via a line Sp1 whether a voltage can be detected across one or more safety-relevant systems 5. If this is the case, the sequence is terminated and returns to the start (monitoring) again.

If it is determined in step S1 that no voltage is applied to one or more safety-relevant systems 5, in step S2 the first drive device 1 drives the relay unit 4 by means of a control signal St1 so that a voltage is again applied to the safety-relevant system or systems. Otherwise, the sequence ends after step S1.

Subsequently, in step S3, a request message Anf1, which states that it is necessary to switch over the relay in order to supply voltage, is output to the CAN bus 11. This request message Anf1 is received by the second drive device 2 in step S4. Following this, the second drive device 2 checks in step S5 whether the first drive device 1 has successfully driven/switched over the relay unit 4. If this is the case, the sequence ends. Otherwise, the sequence proceeds to step S6, in which it is determined via a line Sp2 whether a voltage is applied to one or more safety-relevant systems 5. In the affirmative, the sequence ends, and in the negative case the sequence proceeds to step S7, in which a check is made as to whether it is possible for the second drive device 2 to drive/switch the relay unit 4. If driving/switching is judged to be possible in step S7, then in step S8 the second drive device 2 drives/switches the relay unit 4 by means of the control signal St2 and the sequence then ends.

If it is not possible for the second drive device 2 to drive/switch the relay unit 4 for whatever reason, for example due to an interruption in the line for the control signal St2, the second drive device 2 outputs, in a step S9, a request message Anf2 to the CAN bus 11. In step S10, the third drive device 3 receives this request message Anf2 from the second drive device 2 together with the request message Anf1 from the first drive device 1. This is followed in step S11 by the third drive device 3 driving/switching the relay unit 4 by means of a control signal St3. The sequence then ends.
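As an added illustration that is not part of the patent text, the following Python model walks through steps S1 to S11 with the relay unit 4, the three drive devices and the bus reduced to plain objects. The class and function names, the list standing in for the CAN bus 11, and the control_line_ok flag used to model an interrupted St1/St2/St3 line are all assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class RelayUnit:
    """Relay unit (4); switching it restores voltage across the systems (5)."""
    voltage_present: bool = False

    def switch(self) -> None:
        self.voltage_present = True

@dataclass
class DriveDevice:
    """One of the drive devices (1, 2, 3). control_line_ok=False is a constructed
    fault: an interrupted line for the control signal St1/St2/St3."""
    name: str
    control_line_ok: bool = True

    def drive(self, relay: RelayUnit) -> bool:
        # A drive attempt over an interrupted control line has no effect.
        if not self.control_line_ok:
            return False
        relay.switch()
        return True

def run_sequence(relay: RelayUnit, d1: DriveDevice, d2: DriveDevice,
                 d3: DriveDevice) -> tuple[bool, str | None, list[str]]:
    """Steps S1..S11 of FIG. 2. Returns (voltage present at the end, name of the
    device whose switching restored it, request messages seen on the bus)."""
    bus: list[str] = []                          # stand-in for the CAN bus (11)
    if relay.voltage_present:                    # S1: device 1 monitors via Sp1
        return True, None, bus
    switched_by_d1 = d1.drive(relay)             # S2: drive relay unit via St1
    bus.append("Anf1")                           # S3: request message Anf1
    if switched_by_d1:                           # S4/S5: device 2 checks device 1
        return True, d1.name, bus
    if relay.voltage_present:                    # S6: device 2 monitors via Sp2
        return True, None, bus
    if d2.drive(relay):                          # S7/S8: device 2 drives via St2
        return True, d2.name, bus
    bus.append("Anf2")                           # S9: request message Anf2
    # S10/S11: device 3 acts only when BOTH Anf1 and Anf2 are on the bus and
    # its own line Sp3 still shows no voltage (the second fallback level).
    if "Anf1" in bus and "Anf2" in bus and not relay.voltage_present:
        if d3.drive(relay):                      # St3
            return True, d3.name, bus
    return relay.voltage_present, None, bus

if __name__ == "__main__":
    # Constructed fault scenario: St1 and St2 interrupted, St3 intact.
    print(run_sequence(RelayUnit(), DriveDevice("drive device 1", False),
                       DriveDevice("drive device 2", False),
                       DriveDevice("drive device 3")))
```

Running the fault scenario shows the third drive device switching only once both request messages are on the bus, which is the double redundancy the description relies on; with all three control lines interrupted the function reports that no voltage was restored.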

The above-described device according to the invention and the method for the redundant voltage supply of safety-relevant systems are cost-effective to implement since the individual drive devices for driving exclusive relays for one voltage supply in each case are already present in conventional devices and all that is additionally required is to provide the connection and the exchange of information via the CAN bus, as one example of communication channels (for example also control lines, LIN etc.), and to make it possible for each of the drive devices to drive all of the relays.

In this way, a reliable device and a method for the redundant voltage supply of safety-relevant systems can be realized in a straightforward and cost-effective manner, without a large amount of additional outlay on circuitry and components.

Here, the advantage of the device according to the invention and of the method for the redundant voltage supply of safety-relevant systems is the double redundancy for switching the relays. Ensuring the provision of special-purpose voltage supplies leads to a higher availability level of safety-critical systems.

It goes without saying that a person skilled in the art may, in place of the three drive devices used in the preferred exemplary embodiment, also use more drive devices or in each case 3 drive devices from amongst the multiplicity of drive devices for relays in the vehicle.

1. A device for the redundant voltage supply of safety-relevant systems, in particular in motor vehicles, having: at least one first drive device (1), one second drive device (2) and one third drive device (3), each of these drive devices being designed to drive relays in a relay unit (4) for switching over voltage supplies of safety-relevant systems (5), characterized in that the drive devices (1, 2, 3) are connected to a communication channel (11), the first and second drive devices (1, 2) each have a device for monitoring a voltage applied to the safety-relevant systems (5), the first drive device (1) can trigger a switching process of the relay unit (4) and output a request message (Anf1) to the communication channel (11) if the device for monitoring a voltage applied to the safety-relevant systems (5) detects that no voltage is applied; the second drive device (2) has a device for checking whether the first drive device has driven and switched the relay unit (4), and, if the device for checking determines that the first drive device has not driven or has not switched the relay unit, and the device for monitoring a voltage applied to the safety-relevant systems (5) detects that no voltage is applied, said second drive device can trigger a switching process of the relay unit (4) and, if it is not possible to trigger a switching process of the relay unit (4), can output a further request message (Anf2) to the communication channel (11), and the third drive device (3) can receive from the communication channel (11) the request messages (Anf1, Anf2) from the first and second drive devices (1, 2) and can trigger a switching process of the relay unit (4) when both request messages (Anf1, Anf2) are received.
2. The device as claimed in claim 1, characterized in that another unit for switching over voltages can also be used in place of the relay unit (4) having relays.
3. The device as claimed in claim 2, characterized in that the communication channel (11) is a CAN bus.
4. A method for the redundant voltage supply of safety-relevant systems, in particular in motor vehicles, characterized by the steps: (S1) a first drive device (1) monitors via a first line (Sp1) whether a voltage can be detected across one or more safety-relevant systems (5); return to the start if this is the case; (S2) if it is determined in step S1 that no voltage is applied to one or more safety-relevant systems (5), the first drive device (1) drives a relay unit (4) by means of a first control signal (St1) so that a voltage is again applied to the safety-relevant system or systems (5); (S3) the first drive device (1) outputs to a communication channel (11) a first request message (Anf1) which states that it is necessary to switch over at least one relay of the relay unit (4) in order to supply voltage; (S4) the second drive device (2) receives the first request message (Anf1); (S5) the second drive device (2) checks whether the first drive device (1) has successfully driven/switched over the relay unit (4); return to the start if this is the case; (S6) the second drive device (2) determines via a second line (Sp2) whether a voltage is applied to one or more safety-relevant systems (5); return to the start in the affirmative; (S7) check whether it is possible for the second drive device (2) to drive/switch the relay unit (4) in the negative case; (S8) the second drive device (2) drives/switches the relay unit (4) by means of a second control signal (St2) if driving/switching is judged to be possible in step S7, then return to the start; (S9) the second drive device (2) outputs a second request message (Anf2) to the communication channel (11) if it is not possible for the second drive device (2) to drive/switch the relay unit (4) for whatever reason, for example due to an interruption in the line for the second control signal; (S10) the third drive device (3) receives the second request message (Anf2) from the second drive device (2) together with the first request message (Anf1) from the first drive device (1); (S11) the third drive device (3) drives/switches the relay unit (4) by means of a third control signal (St3); then return to the start.
5. The device as claimed in claim 1, characterized in that the communication channel (11) is a CAN bus.